fix: use /etc/openvpn/server/ for tls-crypt-v2 temp files (#1393)

## Summary

- Fix tls-crypt-v2 client key generation failing on Ubuntu 25.04+ with
"Permission denied"
- Add Ubuntu 25.10 to CI test matrix

## Root Cause

Ubuntu 25.04 introduced an AppArmor profile for openvpn
(`/etc/apparmor.d/openvpn`) that restricts where the binary can write.
The allowed paths are:
- `/etc/openvpn/{,**}`
- `@{HOME}/**` (owner only)

The script was using `mktemp`, which by default creates files in `/tmp`, causing the
error:
```
Cannot open file '/tmp/tmp.XXX' for write: Permission denied (errno=13)
```

## Fix

Changed the temp file location from `/tmp` to `/etc/openvpn/server/`:
```bash
# Before
tls_crypt_v2_tmpfile=$(mktemp)

# After
tls_crypt_v2_tmpfile=$(mktemp /etc/openvpn/server/tls-crypt-v2-client.XXXXXX)
```

Fixes #1391
Stanislas
2025-12-14 00:23:43 +01:00
committed by GitHub
parent 8ea2d1b5b2
commit cb0ef7b1c2
2 changed files with 12 additions and 4 deletions


@@ -30,6 +30,8 @@ jobs:
image: ubuntu:22.04
- name: ubuntu-24.04
image: ubuntu:24.04
- name: ubuntu-25.10
image: ubuntu:25.10
- name: debian-11
image: debian:11
- name: debian-12


@@ -1140,9 +1140,10 @@ function installOpenVPN() {
esac
# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
# Note: 2>/dev/null suppresses "Broken pipe" errors from fold when head exits early
SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 2>/dev/null | head -n 1)"
echo "$SERVER_CN" >SERVER_CN_GENERATED
SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 2>/dev/null | head -n 1)"
echo "$SERVER_NAME" >SERVER_NAME_GENERATED
# Create the PKI, set up the CA, the DH params and the server certificate
@@ -1707,8 +1708,13 @@ function generateClientConfig() {
case $tls_sig in
1)
# Generate per-client tls-crypt-v2 key using secure temp file
tls_crypt_v2_tmpfile=$(mktemp)
# Generate per-client tls-crypt-v2 key in /etc/openvpn/server/
# Using /tmp would fail on Ubuntu 25.04+ due to AppArmor restrictions
tls_crypt_v2_tmpfile=$(mktemp /etc/openvpn/server/tls-crypt-v2-client.XXXXXX)
if [[ -z "$tls_crypt_v2_tmpfile" ]] || [[ ! -f "$tls_crypt_v2_tmpfile" ]]; then
log_error "Failed to create temporary file for tls-crypt-v2 client key"
exit 1
fi
if ! openvpn --tls-crypt-v2 /etc/openvpn/server/tls-crypt-v2.key \
--genkey tls-crypt-v2-client "$tls_crypt_v2_tmpfile"; then
rm -f "$tls_crypt_v2_tmpfile"